More card-stealing malware found

The actual bot code is called ChewBacca and was described in detail recently by Kaspersky Lab. As Kaspersky explains, ChewBacca communicates with its C&C (Command and Control) server over the Tor network, which hides the IP addresses of both ends of the connection. According to RSA, this particular botnet has been collecting track 1 and track 2 data from payment cards since October 25.

The ChewBacca bot steals data in two ways: it runs a keylogger, and it takes memory dumps of running processes and scans those dumps for card data in magnetic-stripe track format. Whatever it collects is sent to the C&C server over Tor.
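The memory-scraping half of that is worth seeing concretely, both because it is what RAM scrapers have in common and because the same scan lets a defender check their own process dumps for exposed card data. The following is an added example written for this page; it is not ChewBacca's code and not taken from the Kaspersky or RSA write-ups. It searches a raw byte buffer for ISO/IEC 7813 Track 1 and Track 2 records and drops matches whose PAN fails the Luhn check. The `SAMPLE_DUMP`, the cardholder name and the use of the well-known test PAN 4111111111111111 are all constructed for the example.

```python
import re
import sys
from typing import Dict, List

# ISO/IEC 7813 magnetic-stripe layouts, the same thing a RAM scraper hunts for:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# PANs are 13 to 19 digits. The patterns are bytes because we scan raw memory.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]*\?")

# Constructed sample "process memory": one Track 1 record, one Track 2 record,
# and a Track 2 look-alike whose PAN fails Luhn (it should be filtered out).
SAMPLE_DUMP = (
    b"\x00\x00GET /index HTTP/1.1\r\n"
    b"%B4111111111111111^DOE/JANE^25121010000000000000?"
    b"\x00\x00junk;1234567890123456=25121010000000000000?"
    b"\x00;4111111111111111=2512101...?\x00"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four so a finding can be reported without storing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> List[Dict[str, object]]:
    """Find Luhn-valid Track 1 / Track 2 records in a raw memory buffer.

    Returns one dict per hit (track number, byte offset, masked PAN, expiry),
    sorted by offset. Matches whose PAN fails Luhn are treated as noise.
    """
    hits: List[Dict[str, object]] = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue
            # Group numbering differs: Track 1 has the name between PAN and YYMM.
            yy, mm = (m.group(3), m.group(4)) if track == 1 else (m.group(2), m.group(3))
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": f"{mm.decode()}/{yy.decode()}",
            })
    return sorted(hits, key=lambda h: h["offset"])


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan a process dump saved to disk (for example, one written by procdump)."""
    with open(path, "rb") as fh:
        return scan_for_track_data(fh.read())


if __name__ == "__main__":
    # With a path argument, scan that dump; otherwise run over the constructed sample.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_for_track_data(SAMPLE_DUMP)
    for h in results:
        print(f"track{h['track']} @0x{h['offset']:x}: {h['pan']} exp {h['expiry']}")
```

Two points the code makes that the paragraph does not: the scraper needs no knowledge of the POS application, because the track format itself is the signature, and the Luhn filter is what keeps a scan over megabytes of memory from drowning in false positives. Run against a dump of your own POS or payment process, a non-empty result means card data sits in cleartext in memory, which is exactly the window ChewBacca exploits.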

After execution, the bot creates a copy of itself named spoolsv.exe, to pass as the Windows print spooler service, and places that copy in the Windows Start->Startup folder so that it is loaded at login. That is a useful tell: the legitimate spooler binary lives in %SystemRoot%\System32 and runs as a service, so a spoolsv.exe in a user's Startup folder has no business being there. The program also writes a log file named system.log in the %temp% folder; it records keystroke events along with changes in Windows focus, so the operator can tell which application each keystroke went to.

Neither RSA's nor Kaspersky's write-up explains how ChewBacca is propagated. RSA has observed it mostly in the US, but also in Russia, Canada and Australia, and says it has stolen payment card data from several dozen retailers around the world in a little more than two months.